1. Introduction

Models of protection in computer systems usually possess two components, a finite, labeled, directed two color graph representing the protection state of an operating system and a finite set of graph transformation rules with which the protection state may be changed. Harrison, Ruzzo and Ullman demonstrated [1] that the uniform safety problem is undecidable, i.e., no algorithm can decide, given both a protection graph and a set of transformation rules, whether an edge with a particular label is ever added to the graph. The Take-Grant Model [2,3,4] has been developed in response to this negative result in order to study such questions for a particular set of transition rules. Linear-time algorithms have been found for safety-like problems [2,3] for the Take-Grant transition rules. Although the model is simple enough to permit linear time decision procedures, it is rich enough to implement many sharing relationships [4]. In this report we concentrate on the formal development supporting the motivational and interpretive treatments given in [4,5].

First, we characterize the class of graphs that can be created with the Take-Grant rules. Next, the can·steal predicate, first introduced in [4] in a limited form, is developed in full generality, making it applicable to the common situation of "stealing files." The necessary and sufficient conditions for can·steal to be true can still be tested in linear time.

Another main topic is that of quantifying the amount of "cooperation" required to share or steal rights. By the amount of "cooperation" we mean the number of users (i.e., subject vertices) required to initiate rules in order for a particular edge to be added to a graph. This concept was called "conspiracy" in [2] and was studied in [6], where a lower bound is derived. The bound is based on edge incidence and is not tight. For example, the class of graphs of the form

[figure not reproduced]

require n+2 conspirators for p to acquire the α edge to q, but in [6] the lower bound for these graphs is 0. The present formulation uses the more flexible notion of "spans" to assess protection graphs. Exact conspiracy measurements for arbitrary protection graphs are derived and an algorithm for discovering minimum conspiracy is presented.


2. The Take-Grant Model

The following development of the Take-Grant model follows earlier treatments [2,3,4] and differs in only inessential ways.*

Fix a finite alphabet of labels $R = \{r_1, \ldots, r_m\} \cup \{t, g\}$, called rights, containing two distinguished elements; "t" is mnemonic for "take" and "g" is mnemonic for "grant." A protection graph is a finite, directed, loop-free, two color graph with edges labeled by subsets of R. (Braces around subsets are elided.) Solid vertices, •, are called subjects; empty vertices, ○, are called objects; vertices of either type are denoted by ⊗.


Four  rewriting  rules  are  defined  to  enable  a protection  graph 
to  change: 


Take: Let x, y, and z be three distinct vertices in a protection graph G such that x is a subject. Let there be an edge from x to y labeled γ such that t ∈ γ, an edge from y to z labeled β, and let α ⊆ β. Then the take rule defines a new graph G' by adding an edge to the protection graph from x to z labeled α. Graphically,

    x --γ--> y --β--> z   ⇒   x --γ--> y --β--> z,  x --α--> z

The rule can be read: "x takes (α to z) from y."

Grant: Let x, y, and z be three distinct vertices in a protection graph G such that x is a subject. Let there be an edge from x to y labeled γ such that g ∈ γ, an edge from x to z labeled β, and let α ⊆ β. The grant rule defines a new graph G' by adding an edge from y to z labeled α. Graphically,

    y <--γ-- x --β--> z   ⇒   y <--γ-- x --β--> z,  y --α--> z

The rule can be read: "x grants (α to z) to y."

*Specifically, the "call" rule of [2] has been dropped, r and w (used in [2]) are replaced by t and g, respectively, and "inert" rights [5,6] are permitted.
Create: Let x be any subject vertex in a protection graph G and let α be a subset of R. Create defines a new graph G' by adding a new vertex n (a subject or an object) to the graph and an edge from x to n labeled α. Graphically,

    x   ⇒   x --α--> n

The rule can be read: "x creates (α to) new subject (or object) n."

Remove: Let x and y be any distinct vertices in a protection graph G such that x is a subject. Let there be an edge from x to y labeled β, and let α be any subset of rights. Then remove defines a new graph G' by deleting the α labels from β. If β becomes empty as a result, the edge itself is deleted. Graphically,

    x --β--> y   ⇒   x --(β − α)--> y

The rule can be read: "x removes (α to) y."

In  these  rules,  x is  called  the  initiator. 

Application of rule ρ is denoted by $G \vdash_{\rho} G'$. The reflexive transitive closure of this relation is denoted $G \vdash^{*} G'$. The notation $x \xrightarrow{\alpha}_{G} y$ abbreviates "there exists an edge from x to y in G labeled γ and α ⊆ γ." Figure 1 illustrates* the definitions. Although there are additional concepts to be introduced, the development thus far is adequate for proving a characterization result.


3. Take-Grant Definable Graphs

In [4] it was argued that the protection graphs actually used in an operating system will be generated by a fixed set of rule protocols, e.g., by the operating system supervisor, editors, compilers, etc. Hence, it is important to know what class of graphs can be generated by the Take-Grant rules. Since vertices cannot be deleted and all of the rule applications require that the initiator be a subject, an "all object" graph is impossible. A complete characterization is presented in the next theorem.

*Dashed lines are used in illustrations as a visual aid. Also, even though there is only one directed edge from any vertex a to any vertex b, we occasionally draw two to emphasize changes in labelling.

Figure 1 (not reproduced): Vertex a acquires g rights to b, i.e., g is added to the label on the a to b edge. The rule applications may be read

    a creates (tg to) new object d,
    a grants (g to d) to c,
    c grants (g to b) to d,
    a takes (g to b) from d.

Theorem 3.1: Let $G_0$ be a protection graph containing exactly one subject vertex and no edges. Then $G_0 \vdash^{*} G$ if and only if G is a finite, directed, loop-free, two color graph with edges labeled from subsets of R such that at least one subject has no incoming edges.

Proof: Let v be the initial subject, and $G_0 \vdash^{*} G$. G is obviously finite, directed, loop-free and two colored with the indicated labelling. Since vertices cannot be destroyed, v persists in any graph derived from $G_0$. Inspection of the rules indicates that no rule directs an edge to a vertex that currently has no incoming edges (take and grant only add edges into a vertex that already has one, and create only adds an edge into the new vertex), so v never acquires an incoming edge. Conversely, let G satisfy the requirements. Identify v with some subject $x_1$ with no incoming edges and let G have vertices $x_1, x_2, \ldots, x_n$. Follow these steps:

(3.1) Perform "v creates ($\alpha \cup \{g\}$ to) new $x_i$" for all $x_i$ ($2 \le i \le n$), giving $x_i$ the color it has in G, where α is the union of all edge labels incoming to $x_i$ in G;

(3.2) For all $x_i, x_j$ with an edge $x_i \xrightarrow{\gamma}_{G} x_j$, perform "v grants (γ to $x_j$) to $x_i$";

(3.3) If β is the (possibly empty) label of the edge from $x_1$ to $x_i$ in G, then execute "v removes ($(\alpha \cup \{g\}) - \beta$ to) $x_i$" for $2 \le i \le n$.

The result follows by a simple induction. □
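The four rules and the construction of Theorem 3.1 are mechanical enough to execute. The following is an added example, not code from the paper: it encodes a protection graph as a subject set, an object set and a dictionary mapping an ordered vertex pair to its frozenset label, checks each rule's preconditions before rewriting, and then runs steps (3.1) to (3.3) against a constructed target graph. The class and function names are this example's own, and the starting edges assumed for the Figure 1 derivation (a --g--> c and c --g--> b) are inferred from the rule preconditions, since the figure itself is not reproduced.

```python
"""Take-Grant rewriting rules (Section 2) and the Theorem 3.1 construction.
Added example, not from the paper: the class, method names and the sample
graphs are this example's own."""
from dataclasses import dataclass, field


def _require(cond, msg):
    """Rule preconditions; a violation means the rule does not apply."""
    if not cond:
        raise ValueError(msg)


@dataclass
class ProtectionGraph:
    subjects: set = field(default_factory=set)   # solid vertices
    objects: set = field(default_factory=set)    # empty vertices
    edges: dict = field(default_factory=dict)    # (x, y) -> frozenset of rights

    def label(self, x, y):
        return self.edges.get((x, y), frozenset())

    def _add(self, x, y, rights):
        self.edges[(x, y)] = self.label(x, y) | frozenset(rights)

    def take(self, x, alpha, z, y):
        """x takes (alpha to z) from y:  x --t--> y, y --beta--> z, alpha <= beta."""
        _require(x in self.subjects and len({x, y, z}) == 3, "take: bad vertices")
        _require('t' in self.label(x, y) and frozenset(alpha) <= self.label(y, z),
                 "take: x lacks t to y or y lacks alpha to z")
        self._add(x, z, alpha)

    def grant(self, x, alpha, z, y):
        """x grants (alpha to z) to y:  x --g--> y, x --beta--> z, alpha <= beta."""
        _require(x in self.subjects and len({x, y, z}) == 3, "grant: bad vertices")
        _require('g' in self.label(x, y) and frozenset(alpha) <= self.label(x, z),
                 "grant: x lacks g to y or alpha to z")
        self._add(y, z, alpha)

    def create(self, x, alpha, n, subject=False):
        """x creates (alpha to) new subject/object n."""
        _require(x in self.subjects and n not in self.subjects | self.objects,
                 "create: initiator not a subject or vertex already present")
        (self.subjects if subject else self.objects).add(n)
        self._add(x, n, alpha)

    def remove(self, x, alpha, y):
        """x removes (alpha to) y; the edge disappears when its label empties."""
        _require(x in self.subjects and x != y and (x, y) in self.edges,
                 "remove: no such edge or initiator not a subject")
        rest = self.label(x, y) - frozenset(alpha)
        if rest:
            self.edges[(x, y)] = rest
        else:
            del self.edges[(x, y)]


def derive_from_single_subject(target, v):
    """Steps (3.1)-(3.3): rebuild `target` from G0 = one subject v, no edges.
    v must be a subject of `target` with no incoming edges."""
    _require(v in target.subjects and all(y != v for (_, y) in target.edges),
             "v must be a subject with no incoming edges")
    g = ProtectionGraph(subjects={v})
    others = (target.subjects | target.objects) - {v}
    incoming = {x: frozenset().union(*(lab for (_, y), lab in target.edges.items() if y == x))
                for x in others}
    for x in others:                                    # (3.1)
        g.create(v, incoming[x] | {'g'}, x, subject=x in target.subjects)
    for (u, w), lab in target.edges.items():            # (3.2)
        if u != v:
            g.grant(v, lab, w, u)
    for x in others:                                    # (3.3)
        surplus = (incoming[x] | {'g'}) - target.label(v, x)
        if surplus:
            g.remove(v, surplus, x)
    return g


def figure_1():
    """The derivation read off the Figure 1 caption.  The starting edges
    a --g--> c and c --g--> b are assumed, since the figure is not reproduced."""
    g = ProtectionGraph(subjects={'a', 'c'}, objects={'b'},
                        edges={('a', 'c'): frozenset({'g'}), ('c', 'b'): frozenset({'g'})})
    g.create('a', {'t', 'g'}, 'd')       # a creates (tg to) new object d
    g.grant('a', {'g'}, 'd', 'c')        # a grants (g to d) to c
    g.grant('c', {'g'}, 'b', 'd')        # c grants (g to b) to d
    g.take('a', {'g'}, 'b', 'd')         # a takes (g to b) from d
    return g
```

Running `derive_from_single_subject` on any graph with a subject that has no incoming edges reproduces that graph exactly, which is the "if" direction of the theorem; asking the engine to perform a take without the t right raises, which is the precondition the "only if" direction relies on.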
4. Predicates and Earlier Results

Several properties of paths will be extremely important in our later development. A sequence of vertices $x_0, \ldots, x_n$ is a path in G if $x_i \xrightarrow{\alpha}_{G} x_{i+1}$ or $x_{i+1} \xrightarrow{\alpha}_{G} x_i$, $0 \le i < n$. Thus paths are defined independent of direction. Vertices p and q of G are tg-connected if there is a path $p = x_0, \ldots, x_n = q$ and the label α on the edge between $x_i$ and $x_{i+1}$ contains t or g. An island of G is a maximal, tg-connected subject-only subgraph of G.

The edge alphabet is composed of four letters $\{\vec{t}, \vec{g}, \overleftarrow{t}, \overleftarrow{g}\}$. Let $x \xrightarrow{t}_{G} y$ (resp. $x \xrightarrow{g}_{G} y$); then the letter $\vec{t}$ (resp. $\vec{g}$) is associated with the edge when it is read from x to y, and $\overleftarrow{t}$ (resp. $\overleftarrow{g}$) when it is read from y to x. Words are associated with paths in the obvious way; for example, a path $x_0 \xrightarrow{t} x_1 \xrightarrow{tg} x_2 \xrightarrow{g} x_3$ has the words $\vec{t}\vec{t}\vec{g}$ and $\vec{t}\vec{g}\vec{g}$ associated with it. A path $x_0, \ldots, x_n$ is an initial span if it has an associated word in $\{\vec{t}^{\,*}\vec{g}\}$, it is a terminal span if $n > 0$ and it has an associated word in $\{\vec{t}^{\,*}\}$, and it is a bridge if (a) $n > 1$ and $x_0$ and $x_n$ are subjects, (b) an associated word is in $\{\vec{t}^{\,*},\ \overleftarrow{t}^{\,*},\ \vec{t}^{\,*}\vec{g}\overleftarrow{t}^{\,*},\ \vec{t}^{\,*}\overleftarrow{g}\overleftarrow{t}^{\,*}\}$, and (c) the $x_i$ are objects ($0 < i < n$). Note that initial and terminal spans have an orientation, i.e., $x_0$ is the source of the span. We say $x_0$ initially or terminally spans to $x_n$.

In order to share information in the protection system, an edge pointing from the recipient to the information shared must be added to the protection graph by means of a sequence of rule transformations of the graph. Accordingly, we may define for a set of rights α and vertices p and q of a protection graph $G_0$ the predicate

    can·share(α, p, q, $G_0$) ⟺ there are protection graphs $G_1, \ldots, G_n$ such that $G_0 \vdash^{*} G_n$ and $p \xrightarrow{\alpha}_{G_n} q$.
When interest is restricted to protection graphs containing only subjects, we have

Theorem 4.1 [2]: For a subject-only protection graph $G_0$, can·share(α, p, q, $G_0$) is true if and only if the following two conditions hold.

Condition 1: There exist vertices $s_1, \ldots, s_u$ such that for each i, $1 \le i \le u$, $s_i \xrightarrow{\gamma_i}_{G_0} q$ and $\alpha = \gamma_1 \cup \cdots \cup \gamma_u$;

Condition 2: p is tg-connected to each $s_i$, $1 \le i \le u$.


The conditions under which can·share holds for general protection graphs are somewhat more complicated. In particular, Condition 1 must be augmented by Condition 3:

Condition 3: There exist subject vertices $p'$ and $s'_1, \ldots, s'_u$ such that

(a) $p = p'$ or $p'$ initially spans to p;

(b) $s_i = s'_i$ or $s'_i$ terminally spans to $s_i$;

and Condition 2 must be recast in terms of bridges and islands:

Condition 4: For each $(p', s'_i)$ pair ($1 \le i \le u$) there exist islands $I_1, \ldots, I_v$ ($v \ge 1$) such that $p' \in I_1$, $s'_i \in I_v$ and there is a bridge from $I_j$ to $I_{j+1}$ ($1 \le j < v$).

Clearly, Condition 4 is simply Condition 2 for the case v = 1. The counterpart to Theorem 4.1 for general protection graphs is

Theorem 4.2 [3]: The predicate can·share(α, p, q, $G_0$) is true if and only if Conditions 1, 3, and 4 hold.


As corollaries, it is known that there are algorithms operating in linear time in the size (V+E) of the graph to test both predicates.


5. Theft

The can·share predicate presumes perfect cooperation from all users (i.e., subjects). The can·steal predicate must capture the notion that a subject vertex acquires a new right without any cooperation from an original owner. Formally, for two vertices p and q in a protection graph $G_0$, and right α, define

    can·steal(α, p, q, $G_0$) ⟺ $\neg\, p \xrightarrow{\alpha}_{G_0} q$ and there exist protection graphs $G_1, \ldots, G_n$ such that

    (5.1) $G_0 \vdash_{\rho_1} G_1 \vdash_{\rho_2} \cdots \vdash_{\rho_n} G_n$,

    (5.2) $p \xrightarrow{\alpha}_{G_n} q$, and

    (5.3) if $s \xrightarrow{\alpha}_{G_0} q$ then no $\rho_j$ has the form "s grants (α to q) to x" for any $x \in G_{j-1}$, $1 \le j \le n$.

Clearly, p, q and s must be distinct since these are protection graphs.


Theorem 5.1: For vertices p and q in a protection graph $G_0$ and right α, can·steal(α, p, q, $G_0$) if and only if the conjunction of the following conditions holds:

(i) $\neg\, p \xrightarrow{\alpha}_{G_0} q$,

(ii) there is a subject $p'$ such that $p = p'$ or $p'$ initially spans to p,

(iii) there is a vertex s such that $s \xrightarrow{\alpha}_{G_0} q$ and can·share(t, p, s, $G_0$).


Proof: (⇒) Suppose can·steal(α, p, q, $G_0$) is true. Condition (i) of the theorem holds by definition. Let n be the smallest integer such that $G_0 \vdash_{\rho_1} G_1 \vdash_{\rho_2} \cdots \vdash_{\rho_n} G_n$ and $p \xrightarrow{\alpha}_{G_n} q$. If p is a subject, (ii) holds, so suppose p is an object. If no $p'$ exists, then for all x can·share(α, p, x, $G_0$) is false, contradicting Theorem 4.2. Similar reasoning assures the existence of s such that $s \xrightarrow{\alpha}_{G_0} q$, so we concentrate on showing the necessity of can·share(t, p, s, $G_0$). Let $T = \{s \mid s \xrightarrow{\alpha}_{G_0} q\}$. Let i be the least index such that in $G_i$ there is a vertex $z_1$ with $z_1 \xrightarrow{\alpha}_{G_i} q$ but $\neg\, z_1 \xrightarrow{\alpha}_{G_{i-1}} q$. The operation causing this edge to be added cannot be a grant, since can·steal is true and those vertices pointing to q with α labels in $G_{i-1}$ are the same as those in $G_0$. The operation must be a take of the form

    $z_1$ takes (α to q) from s

for some $s \in T$. Let $z_2, \ldots, z_l = p$ be the other vertices (in order of appearance) that are assigned α labeled edges to q in the derivation. Then an alternative derivation could be formed where each rule of the form

    $z_j$ takes (α to q) from $x_j$

or

    $x_j$ grants (α to q) to $z_j$

is replaced by

    $z_j$ takes (t to s) from $x_j$

or

    $x_j$ grants (t to s) to $z_j$

respectively, for $2 \le j \le l$, provided $x_j$ is one of the $z_{j'}$ with $j' < j$. But this latter equality must hold since the derivation is a shortest one. Thus can·share(t, p, s, $G_0$), proving that (iii) holds.

(⇐) Suppose the three conditions hold. Then if p is a subject, the theorem is immediately satisfied since p can take (α to q) from s once it gets the t right to s. If p is an object then can·share(t, p, s, $G_0$) implies there is some subject $p'$ initially spanning to p and can·share(t, $p'$, s, $G_0$). If $\neg\, p' \xrightarrow{\alpha}_{G_0} q$ then $p'$ can take the right (α to q) from s and grant it to p. If $p' \xrightarrow{\alpha}_{G_0} q$ then the following sequence enables $p'$ to form a surrogate vertex n to transmit the right (α to q) to p, given that $p' \xrightarrow{t}_{G_0} s$ and $p' \xrightarrow{g}_{G_i} p$:

    $p'$ creates (g to) a new subject n;
    $p'$ grants (t to s) to n;
    $p'$ grants (g to p) to n.

(These steps are legal even if α = t.) Then n completes the task with the operations:

    n takes (α to q) from s;
    n grants (α to q) to p.

This is a witness for can·steal(α, p, q, $G_0$), proving the theorem. □

Corollary 5.2: There is an algorithm to test the can·steal predicate that operates in time linear in the size of the protection graph.
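Theorems 4.2 and 5.1 reduce both predicates to structural tests on $G_0$: spans, islands and bridges, with no rule applications at all. The following is an added example that implements those tests, not code from the paper. It encodes a graph as a set of subjects plus a dictionary mapping each ordered vertex pair to its label (every vertex not in the subject set is an object), recognizes the four bridge word shapes with a small automaton over the letters $\vec{t}, \overleftarrow{t}, \vec{g}, \overleftarrow{g}$, and is exercised on a constructed graph containing a direct take, a genuine bridge ($\vec{t}\,\overleftarrow{g}$) and a false one ($\vec{t}\,\overleftarrow{t}$). All names are this example's own; the bridge automaton generalizes to arbitrary path lengths, not only the two-edge cases in the sample.

```python
"""Structural decision procedures for can·share (Theorem 4.2) and can·steal
(Theorem 5.1).  Added example, not from the paper: the graph encoding
(subject set + edge dict) and all function names are this example's own."""
from collections import deque


def _out(edges, u, r):
    """Vertices v with an edge u --r--> v."""
    return {v for (x, v), lab in edges.items() if x == u and r in lab}


def _in(edges, u, r):
    """Vertices v with an edge v --r--> u."""
    return {v for (v, x), lab in edges.items() if x == u and r in lab}


def t_reach(edges, x):
    """Vertices reachable from x along a (possibly empty) chain of t edges."""
    seen, stack = {x}, [x]
    while stack:
        u = stack.pop()
        for v in _out(edges, u, 't') - seen:
            seen.add(v)
            stack.append(v)
    return seen


def initial_span(edges, x):
    """x initially spans to v: a path x ... v whose word is t* g."""
    return {v for u in t_reach(edges, x) for v in _out(edges, u, 'g')}


def terminal_span(edges, x):
    """x terminally spans to v: a path x ... v whose word is t*, n > 0."""
    return t_reach(edges, x) - {x}


# Bridge automaton.  Phase 0: at the start subject; 1: read forward t's;
# 2: read the single g (either direction), now only backward t; 3: backward
# t's with no g at all.  Accepts exactly t*, t-bar*, t* g t-bar*, t* g-bar t-bar*.
_MOVES = {0: [('t', 1, _out), ('g', 2, _out), ('g', 2, _in), ('t', 3, _in)],
          1: [('t', 1, _out), ('g', 2, _out), ('g', 2, _in)],
          2: [('t', 2, _in)],
          3: [('t', 3, _in)]}


def tg_neighbours(subjects, edges, u):
    """Subjects joined to subject u by one tg edge (same island) or by a bridge,
    i.e. a path whose interior vertices are all objects."""
    found, seen, queue = set(), {(u, 0)}, deque([(u, 0)])
    while queue:
        cur, phase = queue.popleft()
        for right, nxt, step in _MOVES[phase]:
            for v in step(edges, cur, right):
                if v in subjects:            # a subject ends the path
                    if v != u:
                        found.add(v)
                elif (v, nxt) not in seen:   # objects may be passed through
                    seen.add((v, nxt))
                    queue.append((v, nxt))
    return found


def connected_subjects(subjects, edges, start):
    """Condition 4: subjects reachable from start through islands and bridges."""
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in tg_neighbours(subjects, edges, u) - seen:
            seen.add(v)
            queue.append(v)
    return seen


def can_share(alpha, p, q, subjects, edges):
    """Theorem 4.2: Conditions 1, 3 and 4 for the right set alpha."""
    alpha = set(alpha)
    if alpha <= edges.get((p, q), set()):      # G_0 itself is already a witness
        return True
    # Condition 3(a): subjects p' with p' = p or p' initially spanning to p
    p_primes = {x for x in subjects if x == p or p in initial_span(edges, x)}
    reach = set().union(*(connected_subjects(subjects, edges, x) for x in p_primes))
    for r in alpha:                            # Condition 1, one right at a time
        holders = _in(edges, q, r)
        # Condition 3(b): subjects s' with s' = s or s' terminally spanning to s
        s_primes = {x for x in subjects
                    if x in holders or holders & terminal_span(edges, x)}
        if not s_primes & reach:               # Condition 4 fails for this right
            return False
    return True


def can_steal(r, p, q, subjects, edges):
    """Theorem 5.1 for a single right r."""
    if r in edges.get((p, q), set()):                                      # (i)
        return False
    if p not in subjects and not any(p in initial_span(edges, x) for x in subjects):
        return False                                                       # (ii)
    return any(s != p and can_share({'t'}, p, s, subjects, edges)
               for s in _in(edges, q, r))                                  # (iii)


# Constructed sample graph: subjects p, s, a, b, c; objects q, o1, o2, f.
SAMPLE_SUBJECTS = {'p', 's', 'a', 'b', 'c'}
SAMPLE_EDGES = {('p', 's'): {'t'}, ('s', 'q'): {'r'}, ('s', 'f'): {'g'},
                ('a', 'o1'): {'t'}, ('c', 'o1'): {'t'},   # word t t-bar: not a bridge
                ('a', 'o2'): {'t'}, ('b', 'o2'): {'g'},   # word t g-bar: a bridge
                ('b', 'q'): {'r'}, ('c', 'q'): {'e'}}
```

On the sample graph, p can steal r to q (p holds t to s and simply takes), a can share r to q only because b can grant it onto o2 (so can·steal is false for a), and c cannot obtain the e right from itself across the $\vec{t}\,\overleftarrow{t}$ path because two subjects taking from a common object never form a bridge.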


6. Conspiracy

In this section we are concerned with the amount of "cooperation" required to effect the sharing or stealing. This cooperation has been called "conspiracy" [2] and, for a given sequence of legal rule applications $\rho_1, \ldots, \rho_v$, it is simply $|\{x \mid x \text{ initiates } \rho_i\}|$. Our concern in this section is determining, for a given true predicate can·share(α, p, q, $G_0$), the minimum conspiracy required to produce a $G_n$ that is a witness to its truth. We will be able to find the exact value for arbitrary protection graphs.
Let G be a protection graph and y a subject vertex; then the access-set with focus y is

    $A(y) =_{def} \{y\} \cup \{x \mid y \text{ initially spans or terminally spans to } x\}$.

Clearly, for a given focus y in G, A(y) is unique. Access sets will be used to measure the size of the conspiracy.

For the remainder of the section, we restrict our attention to a protection graph G with vertices $p = x_0, \ldots, x_n = s$, $x_{n+1} = q$. An edge in G either forms a tg-connection between $x_{i-1}$ and $x_i$ ($1 \le i \le n$) or is $s \xrightarrow{\alpha} q$. We suppose that can·share(α, p, q, G) holds.

Say that a vertex is a tg-sink if

(6.1) the vertex is $x_0$ and the only letter associated with the $x_0, x_1$ edge is $\overleftarrow{t}$,

(6.2) the vertex has incident edges whose only associated word is in $\{\vec{t}\overleftarrow{t},\ \vec{g}\overleftarrow{g}\}$, or

(6.3) the vertex is $x_n$ and the only letter associated with the $x_{n-1}, x_n$ edge is $\vec{g}$.

(In each case all incident path edges point into the vertex, which therefore has no t or g edge of its own along the path.) The motivation for this definition will become evident in the claim of Theorem 6.1.

An access-set cover for G with foci $y_1, \ldots, y_u$ is a family of sets $A(y_1), \ldots, A(y_u)$ such that for each i ($1 \le i \le n$) the vertices $\{x_{i-1}, x_i\} \subseteq A(y_j)$ for some j, $1 \le j \le u$. Note that the subject requirement of access-sets might prevent certain tg-connected paths from having a cover. It will become clear from the subsequent theorems, however, that a tg-path has an access-set cover if and only if can·share(α, p, q, $G_0$) is true. Finally, an access set cover is said to be minimal if it minimizes u over all access set covers.

First we establish a lower bound.

Theorem 6.1: Let $G_0$ be a tg-connected path $p = x_0, \ldots, x_n = s$ such that can·share(α, p, q, $G_0$) is true. Let k be the number of access sets in a minimal cover of $G_0$, and ℓ the number of tg-sinks. Then k+ℓ initiators are necessary.

Proof: Let $\rho_1, \ldots, \rho_v$ be the minimal set of rules required for a minimal set of initiators $y_1, \ldots, y_u$ to implement can·share(α, p, q, $G_0$). To see that the access sets $A(y_1), \ldots, A(y_u)$ with initiator foci $y_1, \ldots, y_u$ cover $G_0$, note that $x \notin A(y_j)$ for all j implies that no initiator can take from or grant to x, so x and its incident edges can be removed without affecting the rules $\rho_1, \ldots, \rho_v$. But this violates the connectedness Condition 4 of can·share. Thus, the access sets $A(y_1), \ldots, A(y_u)$ at least cover $G_0$.

Claim: Every vertex $x_i$ that is a tg-sink must be an initiator.

Proof of Claim: First note that each such $x_i$ must be a subject by Condition 4. Suppose $x_i$ fails to satisfy the claim and $\vec{t}\overleftarrow{t}$ is associated with $x_i$'s incident edges. Then no rule $\rho_j$ of the form "z takes (β to y) from $x_i$" is ever executed, since $x_i$ has no out edges and it cannot be assigned any. Furthermore, since v, the number of rules, is minimal, no rules of the form "z takes (t to $x_i$) from $x_{i-1}$" or "$x_{i-1}$ grants (t to $x_i$) to z" are ever executed, since no use could be made of the t right thus assigned; a similar situation holds for $x_{i+1}$ transmitting its t right to $x_i$. Thus $x_i$ and its incident edges can be deleted, violating the connectedness Condition 4.

If $\vec{g}\overleftarrow{g}$ is associated with $x_i$'s incident edges, no rule of the form "z grants (β to y) to $x_i$" is ever executed, since that right cannot be transmitted by $x_i$ and v is assumed minimal. As with the $\vec{t}\overleftarrow{t}$ case there is no need for any ρ to transmit the g right, so $x_i$ can be eliminated and thus the connectedness condition is violated. The situation for the end points is analogous. The claim follows.

Let $y_1, \ldots, y_\ell$ be the tg-sink initiators. Then $A(y_1), \ldots, A(y_\ell)$ are singleton sets. Moreover, each of these vertices is a member of its adjacent access-sets. Thus, the other access-sets, $A(y_{\ell+1}), \ldots, A(y_{\ell+k})$ ($\ell + k = u$), constitute a cover for $G_0$. The theorem follows. □

Some  discussion  is  in  order.  Basically,  edges  can  be  transmitted 
by  an  initiator  to  any  vertex  in  its  access  set.  Edges  are  passed  "along 
the  path"  because  access  sets  will  overlap.  If  one  initiator  can  take 
from  the  common  element  and  the  other  can  grant  to  it,  then  edges  can 
move  from  one  access  set  to  the  next.  But  if  the  common  vertex  is  a 
tg-sink,  then  it  must  aid  in  the  communication. 

Next  we  establish  a matching  upper  bound,  but  first  a lemma  will 
simplify  matters. 

Lemma 6.2: Let $x_0, \ldots, x_n$ be a tg-connected path and $A(y_1), \ldots, A(y_k)$ a minimal access-set cover ordered by increasing indices of $x_i$. If $y_{i+1} \xrightarrow{\alpha}_{G} q$ then there exists $G'$ such that $y_i \xrightarrow{\alpha}_{G'} q$ and all rules in $G \vdash^{*} G'$ are initiated by $y_i$, $y_{i+1}$ and, perhaps, their common element.

Proof: Let $z = A(y_i) \cap A(y_{i+1})$. Consider the spans to z from $y_i$ and $y_{i+1}$. The notation "takes* r" means "performs enough takes to acquire right r." The four cases below give the span from $y_i$ to z, the span from $y_{i+1}$ to z, and a rule sequence.
(6.4) $y_i$ terminally spans to z ($\vec{t}^{\,*}$); $y_{i+1}$ terminally spans to z ($\vec{t}^{\,*}$). z is necessarily a subject, since $\vec{t}^{\,*}\overleftarrow{t}^{\,*}$ isn't a bridge.
    (a) z creates (tg to) new n,
    (b) $y_{i+1}$ takes* (g to n) from z via elements of the span,
    (c) $y_{i+1}$ grants (α to q) to n,
    (d) $y_i$ takes* (α to q) from n.

(6.5) $y_i$ terminally spans to z ($\vec{t}^{\,*}$); $y_{i+1}$ initially spans to z ($\vec{t}^{\,*}\vec{g}$).
    (a) $y_{i+1}$ takes* (g to z) from elements of the span,
    (b) $y_{i+1}$ grants (α to q) to z,
    (c) $y_i$ takes* (α to q) from z.

(6.6) $y_i$ initially spans to z ($\vec{t}^{\,*}\vec{g}$); $y_{i+1}$ terminally spans to z ($\vec{t}^{\,*}$).
    (a) $y_i$ creates (tg to) new n,
    (b) $y_i$ takes* (g to z) from elements of the span,
    (c) $y_i$ grants (g to n) to z,
    (d) $y_{i+1}$ takes* (g to n) from z via elements of the span,
    (e) $y_{i+1}$ grants (α to q) to n,
    (f) $y_i$ takes (α to q) from n.

(6.7) $y_i$ initially spans to z ($\vec{t}^{\,*}\vec{g}$); $y_{i+1}$ initially spans to z ($\vec{t}^{\,*}\vec{g}$). z is necessarily a subject, since $\vec{t}^{\,*}\vec{g}\overleftarrow{g}\overleftarrow{t}^{\,*}$ isn't a bridge.
    (a) $y_i$ creates (tg to) new n,
    (b) $y_i$ takes* (g to z) from elements of the span,
    (c) $y_i$ grants (g to n) to z,
    (d) $y_{i+1}$ grants (α to q) to z via elements of the span,
    (e) z grants (α to q) to n,
    (f) $y_i$ takes (α to q) from n.

Except for (6.4a) and (6.7e) the vertices initiating the rules are either $y_i$ or $y_{i+1}$. □
Corollary 6.3: For adjacent access sets $A(y_i)$ and $A(y_{i+1})$, α rights to q can be transferred from $y_{i+1}$ to $y_i$ with no other initiators unless there are consecutive edges labeled $\vec{t}\overleftarrow{t}$ or $\vec{g}\overleftarrow{g}$. In this case, one additional operation initiated by $z = A(y_i) \cap A(y_{i+1})$ is sufficient.

Let can·share(α, p, q, $G_0$) hold via the tg-connected path $p = x_0, \ldots, x_n = s$ and let $A(y_1), \ldots, A(y_k)$ be a minimal access-set cover. Let ℓ be the number of tg-sinks.

Theorem 6.4: For p to acquire α rights to q, k+ℓ initiators suffice.

Proof: Clearly, $p \in A(y_1)$ and $s \in A(y_k)$. If $s = y_k$ then $y_k \xrightarrow{\alpha} q$. If $y_k$ terminally spans to s, then $y_k$ takes* (α to q) from s via elements of the span. If $y_k$ initially spans to s, then s is necessarily a subject by the conditions of can·share and rules (6.5a-b) (with s = … and $y_k$ = z) suffice to transfer (α to q) to $y_k$. In all three cases $y_k \xrightarrow{\alpha} q$ and we have a basis step. Lemma 6.2 can now be inductively applied, and $y_1 \xrightarrow{\alpha}_{G_i} q$. If $y_1 = p$ we are done. If $y_1$ initially spans to p then $y_1$ takes* (g to p) from elements of the span and it grants (α to q) to p. If $y_1$ terminally spans to p then p is necessarily a subject by the conditions on can·share and (6.4a-c) (with p = z, i = 0) suffice to transfer (α to q) to p. (Note, use of (6.4a) implies the addition of another initiator, namely p, but this is counted in the definition of tg-sink. The case is similar for the use of (6.5a-b) above.) □

7. Conspiracy in General Graphs

Although the theorems of the last section give an exact measurement of the number of initiators required for sharing, they only apply to paths. In general, extending these results to graphs cannot be done simply by looking for vertex disjoint paths. For example, if G is the graph

[figure not reproduced]

the (only) vertex disjoint path from p to s does not qualify as a legal path for can·share(α, p, q, G) to hold, even though the predicate is true. Working from the earlier development we now present a finer analysis applicable to general graphs.


Recall that if $v \in A(x)$, the access set with focus x, there are three possible conditions, any subset of which v can satisfy: v is the focus of A(x) (i.e., v = x), x initially spans to v, or x terminally spans to v. Each of these properties is said to be a reason for $v \in A(x)$.


Given a protection graph G with subject vertices $x_1, \ldots, x_n$, we will define a new graph, the conspiracy graph, H, determined by G. H has vertices $y_1, \ldots, y_n$ and each $y_i$ has associated with it the access-set $A(x_i)$. There is an undirected edge between $y_i$ and $y_j$ provided $\delta(x_i, x_j) \ne \emptyset$, where δ is called the deletion operation and is defined by:

    δ(x, x') = return all elements in $A(x) \cap A(x')$ except those z for which either (a) the only reason $z \in A(x)$ is that x initially spans to z and the only reason $z \in A(x')$ is that x' initially spans to z, or (b) the only reason $z \in A(x)$ is that x terminally spans to z and the only reason $z \in A(x')$ is that x' terminally spans to z.

The graph thus constructed is called H. See the example in Figure 2 (not reproduced).


Let H be constructed from G as just described. Define the sets

    $Y_p = \{y_i \mid x_i = p \text{ or } x_i \text{ initially spans to } p\}$,

    $Y_s = \{y_i \mid x_i = s \text{ or } x_i \text{ terminally spans to } s\}$.

Then we will argue that the number of vertices on a shortest path from an element $y_1 \in Y_p$ to an element $y_n \in Y_s$ in H is the number of conspirators necessary and sufficient to produce a witness to can·share(α, p, q, G). Let |s.p.| denote the length, counted in vertices, of a shortest path between $y_1$ and $y_n$.


First  we  must  establish  that  the  conspiracy  graph  captures  the 
notion  of  sharing. 


Lemma 7.1: can·share(α, p, q, G) is true if and only if some $y_1 \in Y_p$ is connected to some $y_n \in Y_s$.


Proof: If the vertex z mentioned in the definition of δ is restricted to being an object element of $A(x_i) \cap A(x_j)$, the lemma is easily proved from Theorem 4.2 by observing that the islands of G form connected components of y's in H and the edges between these components correspond to bridges. (Deletion of object elements is obviously necessary in order to remove false bridges of the form $\vec{t}^{\,*}\overleftarrow{t}^{\,*}$ and $\vec{t}^{\,*}\vec{g}\overleftarrow{g}\overleftarrow{t}^{\,*}$.) Also, note that even with subject deletions, if $y_1$ and $y_n$ are connected, can·share(α, p, q, G) is true. So the remaining case is when can·share(α, p, q, G) is true but removal (by δ) of z from $A(x_i) \cap A(x_j)$ prevents $y_1$ and $y_n$ from being connected. Let z be associated with $y_z$. Note that since z is a focus it has reason to be in $A(x_i) \cap A(z)$ and in $A(z) \cap A(x_j)$. Thus there are edges in H between $y_i$ and $y_z$ and between $y_z$ and $y_j$. Thus, the absence of an edge between $y_i$ and $y_j$ cannot prevent $y_1$ and $y_n$ from being connected, since there is a path between $y_i$ and $y_j$ in any case. □

Notice from the proof that the effect of deleting subjects via δ is to prevent two foci, $y_i$ and $y_j$, from being directly connected when their only connecting spans contain a tg-sink. By deleting such vertices, we force $y_i$ and $y_j$ to be connected by a path of two edges, a means of easily counting the tg-sink as a conspirator.

Theorem 7.2: To produce a witness to can·share(α, p, q, G), |s.p.| conspirators are sufficient.

Proof: A simple induction on the spans corresponding to the edges of the s.p. using Lemma 6.2 proves the result, provided we observe the following point. Since p, q, s are distinct and the $y_i$ on the s.p. are distinct, all rules given in Lemma 6.2 can be performed provided the foci of the access-sets are different from their common element(s). By inspection of the rules of Lemma 6.2, whenever a focus and common element coincide the rule whose application is prevented (by distinctness of vertices for rule applications, Sec. 2) provides a right that is already possessed (e.g., rule 6.5c, $y_i = z$) or it provides a right used in the subsequent rule to acquire a right already possessed (e.g., rules 6.5a and 6.5b, $y_{i+1} = z$). In these cases the rule whose application is prevented is not needed. □
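The conspiracy graph and the |s.p.| count of Theorems 7.2 and 7.3 are straightforward to compute once access sets carry their reasons. The following is an added example, not code from the paper: it builds A(x) together with the reasons for each member, applies the deletion operation δ, constructs H over the subjects and returns the number of vertices on a shortest path from $Y_p$ to $Y_s$. The graph encoding (a subject set plus an edge dictionary) and all names are this example's own. The constructed graphs are paths, so the result can be checked against Section 6: in the first graph A(p) and A(s) form a minimal cover (k = 2) and x is a tg-sink (ℓ = 1), and δ removes x from $A(p) \cap A(s)$ so that the shortest path p, x, s has three vertices.

```python
"""Conspiracy graph H (Section 7) and the |s.p.| conspirator count.
Added example, not from the paper: the graph encoding (subject set plus an
edge dict) and all names are this example's own."""
from collections import deque


def _out(edges, u, r):
    """Vertices v with an edge u --r--> v."""
    return {v for (x, v), lab in edges.items() if x == u and r in lab}


def access_set(edges, x):
    """A(x), returned as {v: reasons}, where a reason is 'focus' (v = x),
    'terminal' (x ... v spells t*, n > 0) or 'initial' (x ... v spells t* g)."""
    reasons = {x: {'focus'}}
    seen, stack = {x}, [x]
    while stack:                                  # walk the t* chains from x
        u = stack.pop()
        for v in _out(edges, u, 'g'):             # one g edge closes an initial span
            reasons.setdefault(v, set()).add('initial')
        for v in _out(edges, u, 't'):
            reasons.setdefault(v, set()).add('terminal')
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return reasons


def delta(edges, x, xp):
    """Deletion operation: A(x) ∩ A(x') minus the vertices whose only reason on
    both sides is 'initial', or on both sides 'terminal'."""
    ax, axp = access_set(edges, x), access_set(edges, xp)
    return {z for z in ax.keys() & axp.keys()
            if not (ax[z] == axp[z] == {'initial'} or ax[z] == axp[z] == {'terminal'})}


def conspiracy_graph(subjects, edges):
    """Undirected H on the subjects: x -- x' iff delta(x, x') is non-empty."""
    return {x: {y for y in subjects if y != x and delta(edges, x, y)} for x in subjects}


def min_conspirators(subjects, edges, p, s):
    """Vertices on a shortest path in H from Y_p to Y_s (Theorems 7.2, 7.3),
    or None when Y_p and Y_s are not connected (Lemma 7.1: can·share is false)."""
    h = conspiracy_graph(subjects, edges)
    y_p = {x for x in subjects if x == p or 'initial' in access_set(edges, x).get(p, ())}
    y_s = {x for x in subjects if x == s or 'terminal' in access_set(edges, x).get(s, ())}
    dist = {x: 1 for x in y_p}                     # a one-vertex path has length 1
    queue = deque(y_p)
    while queue:
        u = queue.popleft()
        if u in y_s:
            return dist[u]
        for v in h[u] - set(dist):
            dist[v] = dist[u] + 1
            queue.append(v)
    return None


# Constructed graphs.  In SINK the path is p --t--> x <--t-- s with s --r--> q:
# x's two incident edges spell t t-bar, so x is a tg-sink and must initiate.
SINK_SUBJECTS = {'p', 'x', 's'}
SINK_EDGES = {('p', 'x'): {'t'}, ('s', 'x'): {'t'}, ('s', 'q'): {'r'}}
# In PLAIN p terminally spans to s and can take (r to q) on its own.
PLAIN_SUBJECTS = {'p', 's'}
PLAIN_EDGES = {('p', 's'): {'t'}, ('s', 'q'): {'r'}}
```

Replacing the subject x in SINK by an object leaves $Y_p$ and $Y_s$ disconnected, in agreement with Lemma 7.1 (two subjects taking from a shared object is a false bridge), while turning s's edge into a g edge onto that object makes it a genuine bridge and yields two conspirators: s grants onto the object and p takes from it.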

Theorem 7.3: To produce a witness to can·share(α, p, q, G), |s.p.| conspirators are necessary.

Proof: Let $y_1 = z_1, \ldots, z_u = y_n$ be vertices along a shortest path from $y_1$ to $y_n$. If there exist only vertex disjoint tg-connected paths in G from $z_i$ to $z_{i+1}$ ($1 \le i < u$) then the $z_i$ are foci of an access-set cover for the path. By construction there are no tg-sinks, and if $y_1$ is not associated with p (resp. $y_n$ not associated with s) then the subject associated with $y_1$ ($y_n$) initially (terminally) spans to p (s) and so it is counted as a conspirator.

The remaining case is for an induced path that is not vertex disjoint. Although redundant rule applications may arise, it is clear that duplicated vertices along a span are not harmful to the lemma unless they reduce the number of required conspirators. Suppose that conspirators $z_1, \ldots, z_{i-1}, z_{i+1}, \ldots, z_u$ can produce a witness. Then there is a $w \in A(z_{i-1}) \cap A(z_{i+1})$. But by choice of the $z_i$ vertices on a shortest path there is no edge between $z_{i-1}$ and $z_{i+1}$. Thus, $w \ne z_{i-1}$, $w \ne z_{i+1}$ and $w \notin \delta(z_{i-1}, z_{i+1})$. But this implies (if w is an object) that there is no bridge between $z_{i-1}$ and $z_{i+1}$ (contradicting, by Lemma 7.1, the assumption that $z_1, \ldots, z_{i-1}, z_{i+1}, \ldots, z_u$ are sufficient) or it implies (if w is a subject) the presence of a tg-sink. By Theorem 6.1 w must be counted as a conspirator. □

8. Concluding Remarks

The development of the conspiracy results provides a reasonably clear picture of how sharing is accomplished in the Take-Grant Model. In particular, the notion of access-set describes that portion of a protection graph under direct "control" of the subject which is its focus. Communication outside of this region of influence requires the cooperation of other subjects. This information will doubtless be useful for designers of specific protection systems, as explained in [4].

Several problems remain open. First, there is the question of the algorithmic complexity of determining the minimum number of conspirators required for a right to be shared. In Section 7 this is determined by finding a shortest path in a conspiracy graph. That question is obviously a linear time process, but the construction of a conspiracy graph (as described) requires $n^2$ operations for an n subject graph just to fill in the edges. A simpler scheme that does not depend on the explicit construction of the conspiracy graph could be envisaged.

Another issue is to determine for a given graph what set of conspirators must have participated in the sharing of a right after the fact. The test is complicated by the fact that certain rights could have been removed in order to hide the conspiracy. One might be able to infer from the structure of the graph that even though a subject has deleted the conspiratorial rights, they once existed.